checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400


checkov - 2.3.292

Published by github-actions[bot] over 1 year ago

Feature

  • arm: Handle another structure for SQL retention policy - #5210

Bug Fix

  • secrets: limit line length for custom secrets - #5208
  • terraform: Update GCP checks for plan files - #5197

checkov - 2.3.289

Published by github-actions[bot] over 1 year ago

Feature

  • sca: removing the use of the constant CHECKOV_DISPLAY_REGISTRY_URL - #5204

checkov - 2.3.287

Published by github-actions[bot] over 1 year ago

Feature

  • general: add checkov_diff pre-commit hook for scanning all changed files - #5192

Bug Fix

  • cloudformation: fix CKV_AWS_33 to consider deny statements - #5193

Documentation

  • general: Update pre-commit.md - #5190

checkov - 2.3.285

Published by github-actions[bot] over 1 year ago

Feature

  • arm: and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 - #5049

Bug Fix

  • general: handle cloned checks filtered via labels - #5188
  • terraform: adjust CKV_AZURE_6 to comply with new provider version - #5189

checkov - 2.3.283

Published by github-actions[bot] over 1 year ago

Feature

  • arm: Handle arm db servers 2021 05 01 - #5187
  • terraform: Mark unresolved tf function calls as unresolved - #5186

Documentation

  • general: Add Enforcement CLI Command - #5185

checkov - 2.3.281

Published by github-actions[bot] over 1 year ago

Feature

  • terraform_plan: Expose field changes to python checks - #5112

Bug Fix

  • general: Check that the result is not None before extracting vars in cli multiprocess runs - #5183
  • general: Correctly handle cli graphs in case we run with multiprocessing - #5177

checkov - 2.3.278

Published by github-actions[bot] over 1 year ago

Bug Fix

  • kubernetes: don't fail if spec is missing and default value is set to the fix value. - #5167

checkov - 2.3.276

Published by github-actions[bot] over 1 year ago

Feature

  • arm: ARM and bicep checks for CKV_AZURE_121 - #5029
  • terraform: Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 - #5027
  • terraform: Ensure Azure firewall sets threatintelMode to Deny - #5013
  • terraform: Ensure firewall defines a policy - #5038
  • terraform: Ensure Firewall policy has IDPS mode as deny - #5039

Bug Fix

  • dockerfile: support platform flag in CKV_DOCKER_11 - #5170
  • terraform: support condition in IAM policy data blocks - #5171
  • terraform: Unable to download Terraform modules from JFrog Artifactory - #5155

checkov - 2.3.273

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: add support of inline suppression for Ansible graph checks - #5143
  • terraform: Use just AWS regex to check EC2Credentials - #5159

Bug Fix

  • cloudformation: fix evaluate_default_refs func in cfn - #5164
  • general: fix SARIF output related to security-severity field - #5160
  • terraform: adjust CKV_AWS_85 to only look for one log type to pass - #5162
  • terraform: update latest major version of Postgres to v15 - #5163

Platform

  • general: Add no upload flag and report contributors for all API key runs - #5052

checkov - 2.3.267

Published by github-actions[bot] over 1 year ago

Bug Fix

  • kubernetes: fix extracting k8s nested resources - #5146
  • sca: suppression - fix unit testing - #5158
  • sca: suppression is not working on SCA packages - #5156

checkov - 2.3.264

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: don't fail CKV_AWS_2 on un-rendered value - #5147
  • terraform: Foreach support resources edges - #5145

Bug Fix

  • terraform: exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 - #5135

Documentation

  • general: Update operators with examples - #5137

checkov - 2.3.261

Published by github-actions[bot] over 1 year ago

Feature

  • general: Added computation of git_root_path to igraph serialization - #5107
  • sca: adding validation for the file_line_number - #5132
  • terraform: foreach remove error from info log. - #5139

Bug Fix

  • terraform: Should use UNKNOWN rather than skipped - #5136

checkov - 2.3.259

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: extend CKV2_AWS_5 with new resources - #5129
  • terraform: IAM limit resource access - #5015

Bug Fix

  • kustomize: fix empty kustomize file crash - #5131

Platform

  • general: SBOM lines numbers adjusting - #5127

checkov - 2.3.257

Published by github-actions[bot] over 1 year ago

Feature

  • sca: adding the risk factor v2 to the vulnerability details - #5108
  • sca: dockerfile image-referencer fixes - #5120
  • secrets: Add new pre-commit hook for secrets - #5103
  • terraform: add check to look at star resources - #4996

Bug Fix

  • gitlab: Skipping image blocks without name attribute - #5126
  • terraform: fix terraform variable rendering for provider alias - #5124

Platform

  • general: Enhancing Sarif output with Security Severity Level - #5074

checkov - 2.3.251

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: add jwt detector to the secret runner - #5116
  • terraform: Adding yaml based build time policies for corresponding PC runtime policies - #5089
  • terraform: AWS Ensure RDS performance insights uses a CMK - #4985
  • terraform: NACL should restrict port ingress - #4976
  • terraform: RDS Enable Performance insights - #4983

Bug Fix

  • dockerfile: improve update searching in CKV_DOCKER_5 - #5115

Documentation

  • general: Update CLI Command Reference.md - #5114

checkov - 2.3.247

Published by github-actions[bot] over 1 year ago

Feature

  • general: add SPDX output - #5104
  • kubernetes: separate service account builder to improve performance - #5093
  • sca: showing line numbers in the cli output for csv - #5096
  • sca: showing line numbers in the cli output for licenses - #5098

checkov - 2.3.245

Published by github-actions[bot] over 1 year ago

Feature

  • dockerfile: Support docker graph check skips - #5085
  • sca: using the lines directly in the record, rather than in the "vulnerability_details" + having it in ExtraResources - #5092

checkov - 2.3.243

Published by github-actions[bot] over 1 year ago

Feature

  • kubernetes: Improve k8s perf - #5083
  • terraform: EMR - At rest local disk, EBS and in transit encryption checks - #4968

Bug Fix

  • kubernetes: add mini k8s parser for invalid templates - #5088
  • terraform: handle false-positives for Route53ZoneEnableDNSSECSigning - #5084

Platform

  • general: Add lines to SBOM - #5078
  • graph: upload graphs to the platform - #5073

checkov - 2.3.240

Published by github-actions[bot] over 1 year ago

Bug Fix

  • terraform: skip invalid multiple modules names - #5079

checkov - 2.3.239

Published by github-actions[bot] over 1 year ago

Bug Fix

  • sca: only run image referencer with sca_image framework - #5081

Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org